Advice Request Is F-Secure sleeping again?

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

marcopaone

Level 7
Thread author
Verified
Well-known
Jul 15, 2016
321
Hi!

On VirusTotal, Avira detects the ransomware as JAVA/SMSSend.zgxoh. But why not F-Secure?
EDIT:
I tried to open it, and F-Secure still does not block it.
Result: the system is infected and the files are encrypted.

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
Good question. I mean it! Maybe because many AVs/tools have problems with script files, as can be seen here:


That's the exact same sample btw and would be interesting to know with a dynamic test/scan. It's also a possible POC sample so that can very well be a reason. Maybe it needs to be submitted?
 

marcopaone

Level 7
Thread author
Verified
Well-known
Jul 15, 2016
321
Also, I tried to open it, and F-Secure still does not block it.
The system is infected and the files are encrypted.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
The F-Secure Capricorn engine (Avira) may have a small delay in updates compared to Avira's proprietary solutions, but it isn't anything significant; just today 15 updates were released for it, so we can assume that the detection was included in a database update after you tested.

Anyway, F-Secure DeepGuard should protect the machine in those situations, but unfortunately it didn't happen.

F-Secure Latest Database Updates for F-Secure Capricorn (f-secure.com)
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
If this is bypassing CFA it must be using some sort of special technique to encrypt. CFA is very protective and doesn’t have much of a whitelist, it also causes a lot of false positives.
That’s probably part of why DeepGuard was defeated.
It might be worth trying some of the other strong behavior blockers like Kaspersky or Emsisoft.
 